I've implemented DANE support for Postfix, but want to make the
implementation a bit more robust in the face of possible future
changes in OpenSSL.

I want to use SSL_CTX_set_cert_verify_callback() to control how certificate
verification is performed.  I need to be able to selectively
add/remove from the set of "untrusted" additional certificates in
X509_STORE_CTX.  Unfortunately, while:

        X509_STORE_CTX_set_chain()

sets ctx->untrusted, the similarly named:

        X509_STORE_CTX_get_chain()

returns ctx->chain, which is already populated and useful during
the simpler one cert at a time verification callback, but is always
empty at the start of the cert_verify_callback().

I could simply bypass the API and directly manipulate ctx->untrusted,
but I am reluctant to do that.  Should I go ahead and do that?

Will there perhaps be a library feature that exposes the chain
elements to the cert_verify_callback?

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org